Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/apache/cordova-plugin-whitelist

[DEPRECATED] Apache Cordova - Whitelist Plugin
https://github.com/apache/cordova-plugin-whitelist

cordova cplusplus csharp java javascript library mobile nodejs objective-c

Last synced: about 3 hours ago
JSON representation

[DEPRECATED] Apache Cordova - Whitelist Plugin

Awesome Lists containing this project

README 

        
---

title: Whitelist

description: Whitelist external content accessible by your app.

---



# cordova-plugin-whitelist



This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0



### Deprecation Notice



With the Allow List functionality now integrated into the core of Cordova Android (10.x and greater), this plugin is no longer required.



Existing projects using Cordova Android 10 or greater should remove this plugin with the following command:



```bash

cordova plugin rm cordova-plugin-whitelist

```



## Installation



You can install whitelist plugin with Cordova CLI, from npm:



```

$ cordova plugin add cordova-plugin-whitelist

$ cordova prepare

```



## Supported Cordova Platforms



* Android 4.0.0 or above



## Navigation Whitelist



Controls which URLs the WebView itself can be navigated to. Applies to

top-level navigations only.



By default navigations are only allowed to `file://` URLs. To allow others URLs, you must add `` tags to your `config.xml`:



```xml



```



Quirks: on Android it also applies to iframes for non-http(s) schemes.



## Intent Whitelist



Controls which URLs the app is allowed to ask the system to open.



In `config.xml`, add `` tags, like this:



```xml



```



Without any `` tags, no requests to external URLs are allowed. However, the default Cordova application includes a quite liberal set of `allow-intent` entries by default. It is advised to narrow this down based on each app's needs.



On Android, this equates to sending an intent of type BROWSEABLE.



This whitelist does not apply to plugins, only hyperlinks and calls to `window.open()`.



Note: `allow-navigation` takes precedence over `allow-intent`. Allowing navigation to all URLs with `` for example has the side effect of "capturing" all intents, so the webview navigates to them instead of triggering e.g. external apps.



## Network Request Whitelist



Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).



Note: We suggest you use a Content Security Policy (see below), which is more secure.  This whitelist is mostly historical for webviews which do not support CSP.



In `config.xml`, add `` tags, like this:



```xml



```



Without any `` tags, only requests to `file://` URLs are allowed. However, the default Cordova application includes `` by default.



Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP.



Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly.



### Content Security Policy



Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).



On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. `` & WebSockets are not blocked). So, in addition to the whitelist, you should use a [Content Security Policy](http://content-security-policy.com/) `` tag on all of your pages.



On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).



Here are some example CSP declarations for your `.html` pages:



```html



```